BreachExchange mailing list archives
How to get a grip on cyber security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Nov 2015 17:49:52 -0700
http://www.cipd.co.uk/pm/peoplemanagement/b/weblog/archive/2015/11/23/how-to-get-a-grip-on-cyber-security.aspx

Cyber security is increasingly in the news, whether it’s a teenage boy hacking into Talk Talk or the chancellor’s recent announcement that the government will invest £1.9bn to beef up its virtual defences. All information, including employees’ records, is of value to the cyber crook. And when an attack happens the risks range from loss of revenue to fraud, reputational damage and even a fine from the regulator if you don’t take proper care of your data. Retail giant Morrisons is currently facing a legal claim brought by a group of 2,000 employees whose bank and salary details were leaked by a disgruntled colleague.

Data held by many organisations is just not as secure as you might expect. “We’re vulnerable because we have not developed the securities that we should have done in the way we have with aeroplanes and cars,” says Martin Smith, chairman and founder of The Security Company and The Security Awareness Special Interest Group. “With computers we are now at the stage where we do need to be more secure. The problem is where do you start?”

Get the basics in place

“Many employers still haven’t figured out what they should be doing,” says Smith. But first you need to understand that there is a threat and then think about what impact any security breach could have on your business. He says ensure you’ve got the basic defences in place: firewalls, encryption and passwords. And make sure that they’re turned on. “It’s unbelievable, but people have firewalls and don’t turn them on. When an organisation forgets to turn on their firewall or encryption, it’s like someone saying they’re looking after their health because they’ve bought a subscription to the gym. It only works if you use it.”

Tell your employees what you’d like them to do

Most cyber attacks are not sophisticated, says Smith. “Every single attack starts with somebody opening a door by clicking on an attachment or giving away information. So educate your workforce on what it is you want them to do.” For example, tell staff they shouldn’t click on a link or attachment in an email if they are not 100 per cent certain that the source is trustworthy.

It’s also important to discourage your staff from using passwords that are too simple. “The most popular password is still ‘password’,” says Smith. “Another common one is ‘123456’. I’m keen that it should be something memorable; just don’t share that information online. You can even write it down as long as it is somewhere safe. It’s about being pragmatic and practical.”

Hire honest people and keep them honest

HR has a big role to play in ensuring the ongoing security of an organisation’s data. “You need to make sure you hire honest people and that they stay honest,” Smith says. “That sounds very glib but it’s very important to make sure that when you recruit someone you check references and qualifications.”

Smith says it is also about ensuring line managers keep an eye on people and look out to see if they’re careless, under stress or vulnerable. “This used to happen, but in the digital age because we work virtually or at home it’s more difficult to keep track of people than it used to be. People have their own computers and their own email addresses. Some employees have no human contact with line managers. This means it is even more important that you do keep track of people,” he says. “HR can also make sure people are properly trained and capable of using systems that are safe and secure.”

Make security everyone’s responsibility

Generally digital and online security falls under the auspices of IT. But Smith says your entire workforce can be your security team if you ask them to take care of data and watch out for suspicious behaviour. “Tell your workforce that they shouldn’t be sharing their passwords and that they need to change them if they think they’ve been compromised. And don’t leave systems logged on when unattended.

“The biggest vulnerability of all is that most people are entirely trusting. We’re not trying to make everybody paranoid but that’s how criminals get in,” he says. “Almost all people are inherently honest and they will behave properly if told what it is you want them to do, so they understand.”

Exercise caution with BYOD access

People like to bring their own devices (BYOD), like mobile phones and tablets, into work, says Smith. But he cautions: “When you break down the barrier between your work and your personal life then you’re exposing yourself to huge risk. A crook could come in through your private profile and gain access to work information.” Smartphones can represent a huge data risk, he says, because they are powerful and have lots of data and access. They should be just as secure as other devices.

“HR people need to be aware that the biggest danger to their organisation is not the inside crook, it’s the insider who is just unaware of the ways in which the crooks come in through them. The key to secure data is getting your staff to behave sensibly, to use the technology properly and to be aware of dangers.”

Smith says: “If you follow half a dozen of these basic tips the majority of your vulnerabilities will disappear overnight.

“Most attacks are not sophisticated and they never were because they don’t need to be. The crook doesn’t need to work very hard because most organisations are leaving their doors and windows wide open when it comes to cyber security. It’s like leaving a key on a piece of string inside a letterbox.”